Municipality of Thiene – €3,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Municipality of Thiene was fined for publishing personal information about an employee's dismissal online. This case shows that public entities must be careful about how they share personal data.
What happened
The Municipality of Thiene published identifiable information about a person's dismissal on its public notice board.
Who was affected
The employee whose dismissal information was published, making them identifiable to the public.
What the authority found
The Italian DPA ruled that the municipality violated GDPR by disclosing personal data without proper legal grounds.
Why this matters
This case highlights the need for public entities to handle personal data with care, especially when it comes to sensitive information. It serves as a warning for all organizations about the risks of public disclosures.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The municipality (the controller) published on its online Public Notice Board, as well in a press release, information about the data subject's dismissal from work. The publication contained a matriculation number, which made the data subject identifiable. Subsequently, the data subject decided to file a complaint with the Italian DPA. The DPA initiated proceedings and requested more information from the controller. The controller argued that the information had been put through pseudonymisation first and only employees knew how to decrypt it. Furthermore, the online Notice Board was not indexed in search engines. With regards to the press release, the controller argued that the text was anonymous and did not allow for the identification of the data subject. Firstly, the Italian DPA held that the dissemination of personal data (such as publications on the Internet) by public entities is permitted, when provided for by law. Secondly, the matriculation number is considered an identification number, as it allows third parties to trace the identity of the data subject, and not authorised personnel only. Consequently, the DPA held that a matriculation number on online publications falls under the definition of "personal data" in Article 4(1) GDPR. The DPA reminded the controller that, as defined in Recital 26 GDPR, pseudonymisation is a mere technical measure and still makes it possible to trace the identity of a data subject in an indirect way or through use of additional information. With regards to the press release, the DPA held that there was no derogation from the principles on the protection of personal data. The DPA also reiterated that the principles of lawfulness and data minimisation apply to publication on online public notice boards, as clarified in the [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1803707 "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for the purpo
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Municipality of Thiene in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 September 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€3,000
GDPRhub ID
gdprhub-5419About this data
Cite as: Cookie Fines. Municipality of Thiene - Italy (2022). Retrieved from cookiefines.eu
Last updated: